TOPIC: Dynamic VLANs on the cheap?

First of all, you'll have to excuse my less than complete description of my available equipment, because since it has come into our possession, I've been rather thoroughly segregated from it. However, I'd rather not wait until I finally get a chance to start playing with it to start asking questions. I'd rather weed out the impossible or infeasible beforehand, or at least, as much as I can.

I know that the vast majority of the switches I'll be dealing with will be 24-port 2950s. As I said, I don't have the exact model number, but they're all 10/100, no gigabit for the users. There are some switches that are either 10 or 12 port gigabit, with the two GBIC (is that right?) connectors on the right, but those will be on a separate network segment anyway.

So the question is, working with 2950s, are there any software packages I could, say, throw on a workstation to act as a VMPS server? Preferably running some form of WinNT, but I could possibly sell a Linux or BSD solution as well. As I read it in the VLAN section, I'd need a 4000+ series switch. And that just isn't going to happen. Even if I *DID* pull that much water in this organization, it would be supreme overkill for the kind of network we're talking about.

And of course, I'm open to alternative suggestions. The only reason I'm actually even considering Dynamic VLANs in the first place is that the user population of this network will be relatively fluid, as it were. So it would be very helpful if there were a way we could deny even simple TCP/IP services to Joe Schmoe who shows up with his laptop running an unpatched version of Windows 2000 he got off the internet 4 years ago and never put behind a firewall. So far Dynamic VLANs would seem to be a perfect fit for this, were it not for the hardware requirements.

Again, any suggestions in this would be greatly appreciated. Anything would beat the current method of just doing network scans and having to physically track down individuals who aren't in compliance with our naming scheme, or whatever. This is, as you can imagine, a nightmare.

-Triscuit

EDIT: I finally managed to dig up OpenVMPS about 3 or 4 pages deep into a Google listing. However, any WinNT programs that perform similar functions, or just a different/better way of locking down my TCP/IP connectivity, would be awesome.

I'm not sure dynamic VLANs are what you really need. I know you said that the user population of the network will be relatively fluid - what did you mean by this? Will the same people be moving from switchport to switchport, or will you just be having employees and perhaps consultants coming in and out of the office at random intervals?

If the employees will be using the same switchports, you could get by with static MAC address port security, although it will be a pain to administer each time someone comes or goes - perhaps setting an inactivity aging time would work. But, if you're just trying to keep an unexpected machine off the network, this will work.

As it has been suggested in another post I read, this is really more of a security policy issue than anything else - and those can be the toughest to enforce, especially if you don't have one.

Yeah, I've been ridiculously preoccupied, and completely forgot about this question for a long while, so... yeah. Sorry 'bout that.

Anyway... perhaps a more thorough description of "fluid" would be in order. The situation is thus: We have to prepare for a variety of situations. It is absolutely probable that I will be providing service to units with less than cooperative network staff, and I need to be able to, upon detecting the presence of "anomalous traffic" (be it an infected machine, excessive bandwidth usage, or a machine that has no business on our network to begin with), segregate that machine from the rest of the network as quickly and efficiently as possible.

Likewise, dealing with over-confident and under-competent admins will be that much easier if I can easily look at an IP address and KNOW that it is on a given VLAN, and thus that its MAC address has been associated with a given unit, and I can go to the admins and tell them that I *KNOW* a given machine is on their piece of the network, and that it IS their problem, and hopefully resolve situations WITHOUT completely denying them service. I am there to *PROVIDE* service, after all, and not simply deny it.

I could of course ask for lists of MAC addresses, and maintain logs of IPs assigned without dynamic VLANs, but that would do nothing to address the threat of completely unknown machines being attached by anyone who can get their hands on a bit of cat5.

So... another question I would ask is how easy *IS* it to centrally administer MAC address port security. Certainly telnetting/consoling to the switches is out of the question. The workload would simply be too great. I've only recently seen references to a "Cisco Cluster Management Suite" that sounds promising. Anyone worked with this?

While I don't really have the answers to your questions, I will give you an example of how the company I work for has theirs set up. It is a MAN topology between 4 main hospital campuses and several smaller clinics. So there are thousands of users, hundreds of switches, etc.

The DNS database is manually updated via an HTML page where we keep user info such as MAC address, phone extension, room #, etc. This is the main place we go when we have an IP or MAC and nothing else.

The network itself is comprised of about 400 or so VLANs and we have port security enabled on some switch ports, but the vast majority are not. Thus we get a lot of unknown laptops plugging into the network that are unpatched and soon appear on our PIX firewall logs. We have the PIX logs going to a syslog server on a Unix box, so I usually end up grepping my way through those logs and sorting through the junk. If you are really busy and in need of automating a lot of this, you could write a script to grep through the log for suspicious activity, such as port 445, and then e-mail it to you. Then use cron to run the script a few times a day or something.

Regardless, unless you keep an up-to-date database of MAC to IP address mappings and have user contact information you will find it more tedious and time consuming to track people down and notify the responsible persons. VLANs are nice as they can help you easily pinpoint geographic locations if you set them up that way. We have ours so each subnet matches the VLAN number (i.e. VLAN 201 is 134.122.201.x). But other than that there isn't much security put on one VLAN over another so I can't help you there.
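An added example (not code from any poster in this thread) of the grep-and-cron report described in the post above: a POSIX shell script that pulls PIX "Deny tcp" syslog messages whose destination is port 445 and counts them per inside host, most active first. The log lines are constructed for the example; the message layout assumes the standard PIX syslog IDs 106023 (deny) and 302013 (built connection).

```shell
#!/bin/sh
# Added example: per-host summary of PIX deny messages for TCP port 445.
# Constructed sample syslog lines, written to a temp file so the script runs stand-alone.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Mar 10 08:01:12 pix %PIX-4-106023: Deny tcp src inside:134.122.201.45/1032 dst outside:10.9.9.9/445 by access-group "inside_in"
Mar 10 08:01:13 pix %PIX-4-106023: Deny tcp src inside:134.122.201.45/1033 dst outside:10.9.9.10/445 by access-group "inside_in"
Mar 10 08:01:14 pix %PIX-6-302013: Built outbound TCP connection 5551 for outside:10.2.2.2/80 (10.2.2.2/80) to inside:134.122.201.7/1100 (134.122.201.7/1100)
Mar 10 08:01:15 pix %PIX-4-106023: Deny tcp src inside:134.122.201.88/1500 dst outside:10.9.9.11/445 by access-group "inside_in"
Mar 10 08:01:16 pix %PIX-4-106023: Deny tcp src inside:134.122.201.45/1034 dst outside:10.9.9.12/445 by access-group "inside_in"
EOF

# Print "count source_ip" for every inside host whose denied TCP traffic
# targeted port 445. Built connections and other ports (e.g. 80) are dropped.
scan_port445() {
    grep 'Deny tcp' "$1" \
      | grep -E 'dst [a-z]+:[0-9.]+/445( |$)' \
      | sed -E 's|.*src [a-z]+:([0-9.]+)/[0-9]+ .*|\1|' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Build the e-mail body; returns 1 (and prints nothing) when there is nothing to report,
# so a cron job can skip sending an empty message.
report_port445() {
    out=$(scan_port445 "$1")
    [ -n "$out" ] || return 1
    printf 'Inside hosts with denied connections to port 445:\n%s\n' "$out"
}

report_port445 "$SAMPLE"
# Example cron entry against the real log (hypothetical paths and address):
#   0 */4 * * * /usr/local/bin/pix445.sh /var/log/pix.log | mail -s "PIX 445 report" netadmin@example.com
```

Only hosts with at least one denied port-445 attempt appear, so the report stays short enough to read in mail.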

I am currently evaluating a similar problem. I am considering a solution that would use MetaInfo's SAFE DHCP: www.metainfo.com/index.cfm/page/Products. That would assign a "normal" IP address to a known MAC; unknown MACs would be assigned an IP address on a different VLAN that would be in isolation until that machine was sanctioned and allowed to connect to the "normal" network.

We were considering Dynamic VLANs, but we have an extremely varied network infrastructure in place that would make this difficult. Essentially, this would eliminate the potential of rogue PCs connecting to the network and spreading infections, etc., which is a problem we have been bitten by a few times.